Category:OWASP WebGoat Project

OWASP WebGoat Project

WebGoat 7.1 has been released, this release contains a lot of bug fixes for 7.0. WebGoat 7 is the latest in a series of infrastructure improvements to move WebGoat into the modern era. With the new plugin architecture and separation of the server framework from the lessons, lessons now require just a few lines of code. Lessons can now be produced without having to understand the entirety of the WebGoat server.

This release contains both the WebGoat container and 50+ lessons created by the WebGoat team. Thank you to all the volunteers!!

Help Needed:

We have an immediate need for Lesson Solutions and Lesson Translations. There may be a little work involved with creating new strings for the translations but it is fairly easy work.

We also need UI developers with experience in any/all parts of the Web stack. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.

We'd love to update our content. If you've run across a particularly interesting exploit in the field, create a lesson for it and contribute to the community. Instructions for creating a lesson are under the General menu in WebGoat.

Introduction

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

Description

WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:

The rest are questions we hope people ask, but maybe haven't really yet ...

Q: Do you need help?

A: Of course we would always love help, especially with testing and feedback. Experienced Java, UI and Design folk are welcome as well. Security professionals willing to develop content are also welcome, of course.

A: As of WebGoat 7, the architecture is more modular and lessons can be loaded dynamically. The first repo is for the 'container' or main 'framework' for containing lessons. The WebGoat-Lessons repo. is for lesson development

Q: How do I author a lesson for WebGoat?

A: For WebGoat 7 you can take a look at any existing lesson (see https://github.com/WebGoat/WebGoat-Lessons), copy it to a new project and implement your own lesson. For WebGoat 8, we plan to make that much simpler (read, no more ECS!).

Volunteers

The WebGoat project is run by Bruce Mayhew. He can be contacted at webgoat AT owasp.org. WebGoat distributions are currently maintained on GitHub. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat mailing list.

Testers are always welcome/needed. Again, log issues and features requests at https://github.com/WebGoat/WebGoat. If you are a college or university and would like to use WebGoat for classes, we'd especially love to hear your feedback and what content/lessons you would like to see added to the project.

Adding content/lesssons We are working to make adding your own content easier and to integrate with other OWASP projects/content. We'd love to hear from you to move this forward.

PROJECT INFOWhat does this OWASP project offer you?

RELEASE(S) INFOWhat releases are available for this project?

what

is this project?

Name: OWASP WebGoat Project

Purpose: WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard